Closed Bug 840271 Opened 11 years ago Closed 11 years ago

Gallery exposes GPS EXIF data when sharing photos to third party apps

Categories

(Firefox OS Graveyard :: Gaia::Gallery, defect)

x86
macOS
defect
Not set
normal

Tracking

(b2g18+)

RESOLVED WONTFIX
Tracking Status
b2g18 + ---

People

(Reporter: st3fan, Assigned: djf)

Details

(Keywords: privacy)

When the Gallery app is used to share photos with another app, it exposes the full JPEG file, including the attached EXIF data.

The EXIF data may also contain GPS location data which is then shared with the third party app even if that app has no permission to see the GPS.

Note that this is the reverse of bug 840223 - that bug is about calling the Gallery FROM a third party app. This is about sharing photos TO a third party app from the Gallery.

I am not completely sure what the correct behaviour is. In my opinion it is not right to share GPS data on photos with third party apps without user consent but this can be debated.

Note that Apple got in a lot of trouble when it became clear that photos from the iOS photo gallery app had the same GPS data attached.

They have since fixed that with stricter permissions and asking the user to opt-in to photo access with a dialog that specifically mentions that the app will be able to see where the photo was taken.

I think this would be surprising behaviour to the user - and, as Stefan pointed out already, we know this bit Apple already. "normal users" don't know what EXIF is, or that it can be used to determine their location.

Can we either change the behaviour or add information so we're more explicit that this can happen?

For reference, my test app and upload receiver script that I used to test this:

https://github.com/st3fan/fxos-pocs/tree/master/bug-840271-gallery-leaks-gps-info

Keywords: privacy

Which is the surprising part, and what behavior would people actually live with?

If we automatically strip EXIF data when exporting from the gallery won't users be unhappy with that in many cases? After all, if they didn't want location data on their photos we'd hope they turned that feature off. If they left it on because they wanted location data in their photos how are we supposed to know when they do and don't want it exposed?

Do we ask and store a permission matrix for which apps get sanitized and which an untouched version of each photo? When an app tries to touch a photo with geolocation data do we put up the prompt as if the app had actually asked for the geolocation API? That's arguably wrong on many levels:
* the user might think the app got the current location, when
  really it was accessing historical locations
* the user might accidentally leave the "remember this choice"
  button selected (I'll grouse about THAT default elsewhere)
  and then that app will have the geolocation ability for ever.
** Or maybe not: if that app tried to use the actual geolocation
   API we might notice that permission isn't in its manifest

Always stripping the data is at least privacy protective, even if some people will think it's too protective some of the time.

I would strongly argue against automatically stripping exif tags out of images. The gallery isn't ever responsible for capturing photos, and it shouldn't be changing photos. I think we definitely need this control in the camera app, but I don't think we would want automatic stripping of exif data in the gallery.

Perhaps we might want to add a checkbox to the image chooser which says something like "include exif location data" and have it off by default. But that sounds like a feature of the gallery to me - not a fix for a "vulnerability".

I trust the gallery and camera but I don't trust apps using the photos that I give them, so ideally I would approve the *export* on a case by case basis or just globally per app.

"These photos contain GPS data. Do you want to allow Twitter to see this information?" Yes/No+RememberMyChoice.

Stefan - Do you think this is worth tracking for v1? Important enough to stop ship?

FYI : Bug 811947 - [camera] Geolocation EXIF data is not placed in the picture when geolocation is turned on

tracking-b2g18: --- → +

I find Paul's argument--that this is an issue for the camera app, not the gallery app--persuasive.  But I find Stefan's argument--that Apple got in trouble for this--scary.

If this is tracking b2g18, we need to make a decision right away.  Here are the choices I see:

1) Do nothing. Mark this bug WONTFIX and make sure the user has a way to turn off the GPS in the camera

2) Automatically strip GPS info from all photos that are shared

a) strip all EXIF tags: this is quick and easy: just copy the image to a canvas and then convert it back to a blob. Trivial to implement, but it strips benign and useful EXIF tags, and the decode/encode cycle reduces image quality

b) Actually write the JS code to find the GPS tags in the photo and overwrite them. I don't think I want to get into the business of actually changing the file length, but I can change the latitude and longitude so all photos look like they are taken at the north pole or at 650 Castro St. or the top of Mt. Everest or something. 

3) Ask the user what to do. This will involve all the work of option 2, plus will require UX work.

a) Ask every time the user taps the Share button

b) Ask the first time the user taps the share button and remember their response. This would require adding some new UX that would allow the user to change their mind, which seems out of scope for v1.

c) Add a new panel to the Settings app under Privacy & Security that allows the user to choose whether the camera records GPS tags and whether the gallery strips them. The user should be able to select "always ask, always share location tags, always strip location tags".  The default would be to always ask. 

I'm tempted to go with option 1. But instead I think we should do 2b and 3c.  That would make this a [LOE:M] bug, and we'd need to get UX involved ASAP.  Cc'ing casey.

I'm taking the bug but need someone to make a decision about how we should handle this.
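The in-place overwrite that option 2b describes, as an added example in JavaScript that is not Gaia code: it walks the JPEG marker segments to the APP1/Exif segment, follows IFD0's GPSInfo pointer (tag 0x8825) and zeroes every GPS entry's value, so the file length never changes and the GPS IFD is left pointing at null island. The sample JPEG is constructed inline for the demonstration, and the helper names are assumptions.

```javascript
// Added example, not Gaia code: zero the EXIF GPS IFD of a JPEG in place so the file
// length is unchanged (option 2b). Only the APP1/Exif segment is handled; thumbnails are not.
const TYPE_SIZE = { 1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8 }; // TIFF type -> bytes
function zeroGpsInTiff(buf, tiff, size) {
  const dv = new DataView(buf.buffer, buf.byteOffset + tiff, size);
  const le = dv.getUint16(0) === 0x4949;                       // "II" = little-endian
  const ifd0 = dv.getUint32(4, le); let gps = 0;
  for (let n = dv.getUint16(ifd0, le), i = 0; i < n; i++) {    // scan IFD0 entries
    const e = ifd0 + 2 + 12 * i;
    if (dv.getUint16(e, le) === 0x8825) gps = dv.getUint32(e + 8, le); // GPSInfo pointer
  }
  if (!gps || gps + 2 > size) return 0;
  const n = dv.getUint16(gps, le);
  for (let i = 0; i < n; i++) {
    const e = gps + 2 + 12 * i; if (e + 12 > size) break;      // truncated IFD: stop
    const bytes = (TYPE_SIZE[dv.getUint16(e + 2, le)] || 1) * dv.getUint32(e + 4, le);
    const at = bytes <= 4 ? e + 8 : dv.getUint32(e + 8, le);   // value is inline or at offset
    if (at + bytes > size) continue;                           // corrupt offset: leave it
    for (let k = 0; k < Math.max(bytes, 4); k++) dv.setUint8(at + k, 0);
  }
  return n;                                                    // GPS entries zeroed
}

function zeroGpsExif(jpeg) {
  const buf = new Uint8Array(jpeg); let zeroed = 0;            // work on a copy
  if (buf[0] !== 0xFF || buf[1] !== 0xD8) throw new Error('not a JPEG');
  for (let p = 2; p + 4 <= buf.length && buf[p] === 0xFF;) {
    const marker = buf[p + 1];
    if (marker === 0xDA || marker === 0xD9) break;             // SOS/EOI: no more headers
    const len = (buf[p + 2] << 8) | buf[p + 3];
    if (marker === 0xE1 && String.fromCharCode(...buf.subarray(p + 4, p + 10)) === 'Exif\0\0')
      zeroed += zeroGpsInTiff(buf, p + 10, len - 8);           // len counts itself + "Exif\0\0"
    p += 2 + len;
  }
  return { bytes: buf, zeroed };
}

// Constructed sample: SOI, APP1/Exif whose IFD0 holds only a GPSInfo pointer to a GPS IFD
// with LatitudeRef "N", Latitude 37 deg 23' 0" and Longitude 122 deg 2' 0", then EOI.
function sampleJpeg() {
  const u16 = v => [v & 255, v >> 8], u32 = v => [...u16(v & 0xFFFF), ...u16(v >>> 16)];
  const entry = (tag, type, count, val) => [...u16(tag), ...u16(type), ...u32(count), ...val];
  const rat = (...ds) => ds.flatMap(d => [...u32(d), ...u32(1)]); // d/1 RATIONALs
  const tiff = [0x49, 0x49, ...u16(42), ...u32(8),
    ...u16(1), ...entry(0x8825, 4, 1, u32(26)), ...u32(0),         // IFD0 -> GPS IFD at 26
    ...u16(3), ...entry(1, 2, 2, [0x4E, 0, 0, 0]), ...entry(2, 5, 3, u32(68)),
    ...entry(4, 5, 3, u32(92)), ...u32(0), ...rat(37, 23, 0), ...rat(122, 2, 0)];
  const exif = [0x45, 0x78, 0x69, 0x66, 0, 0, ...tiff], len = exif.length + 2;
  return Uint8Array.from([0xFF, 0xD8, 0xFF, 0xE1, len >> 8, len & 255, ...exif, 0xFF, 0xD9]);
}
```

Zeroing the entries rather than deleting them keeps every offset in the file valid, which is what makes the rewrite safe without re-encoding the image.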

Nominating Lucas for a decision because he's high enough up the org chart and because of his security background.  Lucas: what do you think? Does the plan described in comment 8 sound good?
Assignee: nobody → dflanagan
Flags: needinfo?(ladamski)
Needinfo-ing Casey too, so he doesn't forget it.
Flags: needinfo?(kyee)
From a product perspective, the team does not believe this is a blocking issue.  Per comment 8, we are supportive of option 1.  

Like others mentioned, if the user has explicitly granted the Camera app permission to capture location data it would be odd for us to strip that data.  We could add a notification to the user letting them know the first time they decide to share a photo that location data has been captured, but this would be optional.

I agree with option 1 actually.  Other platforms use the geolocation permission in the camera app to control whether or not to embed location data in the photo.  Once embedded, it's up to the user to control how that is shared, as the sharing activity is not the only way to share photos with other people/apps/servers.

Flags: needinfo?(ladamski)

Chris and Lucas say that this is a camera issue, not a gallery issue, so WONTFIXing it.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(kyee)
Resolution: --- → WONTFIX